An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Feb. 7, 2024

Combatting Cyber Threat Actors Perpetrating Living Off the Land Intrusions

FORT MEADE, Md. - The National Security Agency (NSA) is proud to partner with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom National Cyber Security Center (NSC-UK) on CISA’s Cybersecurity Technical Report (CTR) “Identifying and Mitigating Living Off the Land,” which provides guidance on defending against common living off the land (LOTL) techniques. This release follows a May 2023 joint Cybersecurity Advisory on LOTL techniques.
 
Rather than introducing malicious code to a system, LOTL threats use existing tools on the system to circumvent security capabilities, which makes these cyberattacks more difficult to detect and mitigate. These techniques can occur in multiple types of IT environments including on site, in the cloud, or hybrid environments. People’s Republic of China and Russian Federation state-sponsored actors often use these techniques to evade detection.
 
“Living off the land attacks have galvanized the cybersecurity community,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS). “More than half a dozen international and domestic partner organizations signed on to our previous living off the land Cybersecurity Advisory. Industry also allowed us to reference their important contributions. 
 
“Together with our partners and allies, we’re shining a light on attacks that occur in dark corners, and illustrating how the PRC behaves irresponsibly by holding civilian critical infrastructure at risk. CSAs like this arm all of us to improve defense and bring together a coalition that can do more as a group than any one of us can do alone,” said Joyce.
 
The CSA outlines how and why LOTL attacks are effective and includes best practice recommendations that are part of a multi-faceted and comprehensive approach to mitigating LOTL cyber threats. Best practices for prioritizing detection and hardening targets include implementing logging that allows for better detection of malicious LOTL activities, implementing authentication controls, maintaining user and admin privilege restrictions, auditing remote access software, establishing baseline behaviors, and refining monitoring tools and alerting mechanisms. The advisory also contains recommendations for software and technology manufacturers, technical details on threat actor activity, and information on network defense weaknesses.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721

Related Press Advisories

NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting U.S. Critical Infrastructure Sectors
NSA and Partners Spotlight People’s Republic of China Targeting of U.S. Critical Infrastructure
U.S. and Japanese Agencies Issue Advisory about China Linked Actors Hiding in Router Firmware
NSA, CISA, and FBI Expose PRC State-Sponsored Exploitation of Network Providers, Devices

Related Documents

CTR: Joint Guidance: Identifying and Mitigating Living Off the Land Techniques
CSA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
cybersecurity mitigation NSA CISA FBI lotl living off the land
Hosted by Defense Media Activity - WEB.mil Veterans Crisis Line